Another government security foul-up

A security breach of a Sarasota County, FL elections system underscores the point about which I repeatedly write: the general insecurity of government networks is a growing public risk. The sad thing is that simply following security best practices would probably have prevented this incident. Even sadder is that the list of recommended remediation steps appears to be a reactive rather than a proactive approach to preventing future attacks.

According to the completed incident report, a variant of the Slammer worm caused a two-hour outage of the county voter verification Internet service. The attack, which began at 2:46 PM on October 23, 2006, was successful because the infected server was 5 years behind on patches. Yes, I said 5 years behind. For example, the specific patch that would have prevented this attack was MS02-039, released in 2002. But how did the worm get into the network in the first place?

A known problem with the firewall used by the county allowed UDP packets that would not normally reach the unpatched server to pass unimpeded once the firewall failed.

So in addition to the immediate remediation steps, what recommendations were made to ensure this type of incident does not recur?

Implement additional smart defense rule for massive UDP traffic to help detect and stop this type of traffic before it brings down the firewall. This appears to be moving in the right direction, but shouldn't the network team have known about this weakness before the incident? What steps were taken to shore up this vulnerability? What processes are in place to identify announced vulnerabilities in LAN/WAN devices?

Locate servers where the OS and application updates are out of date and update as necessary. Again, a valid step. However, was there a failure of a patch management process or does the process not exist? Reacting to an incident by updating patches might be the right path for previously unknown vulnerabilities. This is definitely not the case here. What proactive steps will the county take to ensure critical security patches are quickly applied in the future?

Add SQL and Oracle versions to the lists of apps to scan for during bi-weekly server scans.
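As an added illustration of the first recommendation above (spotting massive UDP traffic before it overwhelms the firewall), the following script is example code, not the county's or the report's, and it assumes a simple firewall log format, a constructed sample log, and arbitrary window and threshold values. The burst it flags consists of 376-byte datagrams to UDP port 1434, which is the known packet size and target port of the Slammer worm.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log lines; the format "date time action proto src dst:port bytes"
# is assumed. Source 203.0.113.9 sends a burst of 376-byte UDP datagrams to port 1434,
# the single-packet signature of the Slammer worm.
SAMPLE_LOG = """\
2006-10-23 14:46:00 ACCEPT UDP 10.0.0.5 192.168.1.20:53 70
2006-10-23 14:46:00 ACCEPT UDP 203.0.113.9 192.168.1.44:1434 376
2006-10-23 14:46:00 ACCEPT UDP 203.0.113.9 192.168.1.45:1434 376
2006-10-23 14:46:01 ACCEPT UDP 203.0.113.9 192.168.1.46:1434 376
2006-10-23 14:46:01 ACCEPT UDP 203.0.113.9 192.168.1.47:1434 376
2006-10-23 14:46:01 ACCEPT TCP 10.0.0.7 192.168.1.20:443 1200
2006-10-23 14:46:02 ACCEPT UDP 203.0.113.9 192.168.1.48:1434 376
2006-10-23 14:46:09 ACCEPT UDP 10.0.0.5 192.168.1.20:53 70
"""

WINDOW = timedelta(seconds=5)  # assumed sliding window
THRESHOLD = 5                  # assumed datagrams per window per (source, port)


def parse_line(line):
    """Split one log line into (timestamp, proto, src, dst_port, length)."""
    date, time, _action, proto, src, dst, length = line.split()
    stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return stamp, proto, src, int(dst.rsplit(":", 1)[1]), int(length)


def detect_udp_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {(src, dst_port): first_alert_time} for every source whose UDP
    datagrams to one destination port reach `threshold` within `window`.
    One alert is raised per (source, port) key."""
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, proto, src, port, _length = parse_line(line)
        if proto != "UDP":
            continue
        key = (src, port)
        q = recent[key]
        q.append(stamp)
        while q and stamp - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = stamp
    return alerts


if __name__ == "__main__":
    for (src, port), stamp in detect_udp_bursts(SAMPLE_LOG).items():
        print(f"{stamp} UDP burst from {src} to port {port}")
```

The two DNS lookups from 10.0.0.5 are nine seconds apart and never accumulate within the window, so only the port 1434 burst is reported.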

OK. Not a bad list, but it doesn't go far enough. Further, what happened to anti-virus software? No mention of it is made in the incident report. Wouldn't a recommendation about not placing servers on the network without anti-malware support be in order?

There is also a statement in the incident report that reads, "The… server was never intended to be accessible from the public Internet." So? What difference does it make whether a server was "intended" to be accessible from the Internet? Sarasota County apparently hasn't heard about layered security controls. This is a prime example of relying on one layer (the firewall) without implementing additional controls for the event that it fails or is cracked.

In my opinion, this is one more example of why government entities, at any level, should not be allowed to manage centralized databases containing critical information. Even in an environment in which government information leaks are the flavor of the day, we are asked to put additional trust in the ability of our public officials to protect our identities as well as elements of national defense. I have one thing to say: NUTS!

Check out my book, Just Enough Security, at Amazon.com

1 Comment

My blog entry is additional information that supplements the FLOSS Impact Report commissioned by the EU: http://ec.europa.eu/enterprise/ict/studies/publications.htm

The Report is linked under:

Final Report. Study on the Economic impact of open source software on innovation and the competitiveness of the Information and Communication Technologies (ICT) sector in the EU. Final Report. Nov. 20, 2006. R.A. Ghosh, UNU-MERIT, NL. et al., 287 pp.
